* Bold claims get lots of press


* Most people don't know enough to
evaluate these claims


* Whether you feel safer or even more 
scared should be based on facts 


[Image: book cover, "Hacking and Penetration Testing with Low Power Devices"]


Who is Dr. P

You may know me as a hardware hacker; I'm also...


- Holder of 12 aviation ratings, all current


* Commercial Pilot

* Flight Instructor

* Aircraft Mechanic

* Inspection Authorization holder
* Avionics Technician


- Have thousands of hours of flight time 
- Aircraft builder 


- Have worked on the development of avionics found in 
modern airliners 




Who Is Captain Polly


* Thousands of hours in airliners and
small aircraft


* Aviation professor
* Head of college simulator program


* Spouse of a current airline pilot


What you will learn 


* Transponders
* Collision avoidance
* GPS
* Autopilots
* Avionics buses and networks


Attacks being presented by others 


* Some commonly discussed
attacks


* Hacking ADS-B
* Hacking engine systems
* Hacking ACARS


Ground Station to Control Tower


Let's get this out of the way to start


* All aircraft feature unhackable
mechanical backup instruments
* You can affect the autopilot operation
- If pilot(s) notice they will disconnect


- Anything you attempt will likely result in
alerts


Attacking avionics networks 


- Not connected to anything useful 
- Require specialized hardware 


* Newer aircraft use a modified version of
Ethernet known as ARINC 664 or AFDX


ARINC 664 and AFDX


- Can't just start sending packets 
- Never wireless 

- Some security in place 

* Not connected to entertainment system 


* Not connected to in-flight wifi


Meet ARINC 664 aka AFDX


* Allows the use of common off the shelf
(COTS) components vs ARINC 429
which is proprietary

* Built on Ethernet, but not the same

- Uses redundant channels 


- Assigns time slices to avoid collisions 
and make it deterministic 


ARINC 664 Virtual Links 


* 1 and only 1 sender
* 1 or more receivers
* Timeslicing is used to avoid collisions


- Bandwidth Allocation Gap (BAG) determines
size of timeslice


- Jitter (max latency - min latency) determined
by number of VL and BAG


End System


[Diagram: two Integrity Checking blocks (detect and eliminate invalid frames), a stage that eliminates redundant frames, and the Application]
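
An added illustration, not from the slides: a simplified Python model of the end-system receive path above, showing how out-of-sequence frames are eliminated on each channel and how the second copy of a frame is dropped as redundant. The sequence-number scheme is assumed from ARINC 664 Part 7, the duplicate filter is deliberately simplified, and all class and function names are hypothetical.

```python
# Added illustration, not from the slides. Assumed from ARINC 664 Part 7: each
# virtual link carries a 1-byte sequence number (0 = sender reset, then 1..255
# wrapping to 1); a frame is valid if it is previous + 1 or + 2 on its channel.
def next_sn(sn, step=1):
    """Advance a sequence number, skipping the reserved 0 on wrap (255 -> 1)."""
    for _ in range(step):
        sn = 1 if sn == 255 else sn + 1
    return sn

class IntegrityChecker:
    """One per channel: detect and eliminate frames outside the expected window."""
    def __init__(self):
        self.prev = None  # nothing received yet on this channel

    def accept(self, sn):
        ok = (self.prev is None or sn == 0
              or sn in (next_sn(self.prev), next_sn(self.prev, 2)))
        if ok:
            self.prev = sn
        return ok

class VirtualLinkReceiver:
    """Per-channel integrity check, then simplified first-valid-wins de-duplication."""
    def __init__(self):
        self.checkers = {"A": IntegrityChecker(), "B": IntegrityChecker()}
        self.last_delivered = None

    def receive(self, channel, sn, payload):
        if not self.checkers[channel].accept(sn):
            return "invalid"    # eliminated by integrity checking
        if sn == self.last_delivered:
            return "redundant"  # copy already delivered via the other channel
        self.last_delivered = sn
        return "delivered"      # payload would go to the application here

def run(frames):
    rx = VirtualLinkReceiver()
    return [rx.receive(*frame) for frame in frames]

# Constructed sample traffic: (channel, sequence number, payload)
SAMPLE = [
    ("A", 1, b"alt"), ("B", 1, b"alt"), ("A", 2, b"alt"), ("B", 2, b"alt"),
    ("A", 9, b"???"),                    # sequence number far outside the window
    ("B", 3, b"alt"),                    # channel A lost frame 3; B's copy is used
    ("A", 4, b"alt"), ("B", 4, b"alt"),  # A resumes inside the +2 window
]

if __name__ == "__main__":
    print(list(zip(SAMPLE, run(SAMPLE))))
```

A real end system also bounds how far apart in time the two copies may arrive; that timer is left out here.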


AFDX Connections


[Diagram: Avionics Device X and Avionics Device Y, each shown with Ethernet and Internal connections]


ARINC 664 in real life 


Tight Integration with AR


[Diagram labels: COMM, DIGITAL AUDIO, AIRPLANE SYSTEMS, FADEC 1A/1B - LEFT ENGINE, FADEC 2A/2B - RIGHT ENGINE]


Entertainment Systems


Device (MEP)
Never connected to ARINC
429/629/664

Remember that the avionics network is
never wireless and not compatible with
your friendly TCP/IP


In-flight Entertainment 


Boeing 777 Confusion


network to be connected to other 
networks such as the aircraft 
information network 


* FAA granted this special condition on 
11/18/13 provided that a network 
extension device (NED) was used and 
certain conditions were met 


777 Confusion (contd) 


The applicant must ensure that the design 
provides 


, access by 
unauthorized sources internal to the airplane. 
The design must prevent inadvertent and 
malicious changes to, and all adverse impacts 
upon, airplane equipment, systems, networks, 
or other assets required for safe flight and 
operations. 


Meet NED the Network 
Extension Device 


* Like any gateway each path must be
programmed
* FMS does not receive input from NED
- Cannot send bogus commands to FMS 


- If NED is compromised may be possible 
to impersonate another device 


Example NED implementation 


- Not 664 we've been discussing
- Really not Ethernet


* The 777 is essentially the only plane to
use ARINC 629 


- Harder to hack than ARINC 664 


Airliner Entertainment System 


Connection 


Hacking In-flight Wireless


Attacking ADS-B/ADS-A 


No security in protocol 


Could create fake weather reports 


Could be jammed 
Not likely to affect TCAS 


ADS-B (broadcast)


* Intended to improve flying where RADAR
coverage is limited


* Part of a Free Flight system planned for the
future


* Provides traffic and weather where available


* Used by small planes to broadcast position 
information 


ADS-A (addressable) 


* ADS-A - addressable cable box with pay-per-view,
etc


Allows specific airplanes to send/receive messages 


- Allows lower separation outside of RADAR 
coverage (FANS) 


Airliners use neither ADS-B nor ADS-A for collision
avoidance


- Can be VHF, HF, or Satellite based 


Collision Avoidance 


transponder (ADS-B in)
- Only available in some areas


- Not authoritative
- Does not use ADS-B signals


- ATC does not automatically 
relay every ADS-B signal they 
el 


Collision Avoidance (contd) 


- Not authoritative
* TCAS
- What the big boys (biz jet and up) use
* Authoritative


* Pilot can use even if other aircraft not in
sight


Transponders


* Mode S used in ADS 
* Airliners have at least 2 
* Signals are used for collision avoidance


Attacking ADS-B


Attacking engine systems 


- Some information may be sent via
ACARS to airline and/or manufacturer


* Some engine control systems are
electronic 


- All have purely mechanical backup 


- Most only trim mechanical system 
electronically 


* Used for
- Weather
- Delays
- Updated flight plans
- Maintenance information


Attacking ACARS 


* Hypothetically could create fake 
messages from plane to ground 


* Not a practical way to take over an
airplane


ACARS MESSAGE 


Closing Thoughts 


* There is certainly the potential to annoy 
ATC and/or small aircraft 


* Increasing automation while continuing
with unsecured protocols is problematic


* Airliners are relatively safe (for now) 


